LogError writes: A vulnerability of the Passmark Sitekey login approach at Bank of America could permit an attacker to remotely lock out thousands of customers from their online banking accounts. The vulnerability announced today is similar to a DoS attack in that it permits an attacker to remotely "lock out" customers from their online accounts, potentially overwhelming the bank's customer support lines with calls from frustrated customers.

Paper at http://cr-labs.com/publications/ is correct. Sitekey is totally open to man-in-the-middle attacks. The customer service costs in resetting users are large. The upgrade problems referred to in the articles were a result of trying to improve security, but there were bugs, and after those were fixed the new system was killing the database and was disabled.